GDPR Article 32: Security of Processing Explained
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption, resilience, restore capability, and regular testing.
OFFICIAL REFERENCE (PARAPHRASED)
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures. (GDPR Article 32(1))
Last reviewed: June 2026. Not legal or audit advice.
WHAT EVIDENCE SATISFIES THIS
- ✓ Encryption at rest and in transit documentation
- ✓ Information security policy
- ✓ Penetration test or vulnerability assessment reports
- ✓ Business continuity and restore test records
- ✓ Access control and MFA evidence
Cross-framework overlap
This control requirement also appears in: